An anonymous reader writes Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/ [bromium.com]) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

All software has holes. A larger user base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

Did YOU look at the graph? The bars are comparing all of 2013 against the first half of 2014 (obviously, as the second half is in the future). So the fact that IE already matched last year's record is where the 100% figure comes from - it's another way to say "doubled". Unless the second half of 2014 has a lower exploit rate then the conclusion will be correct.

Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.

No they really have already increased 100%.
The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.

The number of vulnerabilities per time is not the same as the number of vulnerabilities. You can't say the number of vulnerabilities has increased 100% by using two measurements of vulnerabilities / time and then normalizing both with respect to time. That gets you a normalized number of vulnerabilities per time, not a normalized number of vulnerabilities.

So how can you compare any numbers like this if you don't relate them to a timeframe? Are you trying to say that the graph gives no information whatsoever about the change in number of vulnerabilities? As that seems like nonsense to me.
Comparing this 6 months to the previous 6 months is a clear doubling, unless you have data to show vulnerabilities only ever occur in the first half of any given year. The graph is a summary of the data, clearly the researchers who have access to the raw data would have told

It's simple: You can't say an amount has increased by X when you're comparing rates. If they want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.
They already mentioned that the timeframe of interest in the first line of the summary was 6 months.
The amount 133 is ~twice as big as 65.
The amount has increased by more than 100%.

They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.

If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January 1st through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%. The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.

They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities. That's fine, and it's pretty safe to assume it will end up being f

divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.

I believe I already did. 130 divided by 2 is 65.
The amount for the first 6 months of 2014 is a 100% or more increase on the amount in the second half of 2013.
Or, the amount for 6 months of 2014 is a 100% or more increase on the corresponding period in 2013.
Take your pick. I'm not sure why you think a 1 year time frame is somehow magical when counting amounts.

OK I'll admit that I didn't notice the H1 in the graph right away but...

Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts not speculation.

The graph compares all of 2013 with the first half of 2014. The implication being that, if so far this year there have been as many vulnerabilities as all of last year, then by the end of the year there will be twice as many. It is very poor analysis as there might be no more bugs found this year, a million bugs found this year, or something in between.

Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

a trend underscored by a progressively shorter time to first patch for its past two releases

Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.
It also goes on to say in the report

Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to Flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but it looks like the exploit isn't possible without Flash.

Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

and

Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

You have convinced me, sir. I'm switching to Internet Explorer, the safest, most secure browser ever made, with possibly only 1 vulnerability.
Have you considered running damage control for disgraced politicians?

Have you considered reading the article before criticizing someone else's analysis of it?

Apparently not.

Have you considered WHOOSH?

But since you didn't quite get it.....

Do you think that IE going from 1 vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?

Have you considered that using a quick patch as an indication of security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, mo

IE had fewer vulnerabilities last year than Chrome or Firefox. This year it has more. That's not a slam dunk, or an indication that IE is a dog's breakfast.

IE has been substantially rewritten since the IE6 days, and is a sort-of-decent browser these days. These days it's Firefox that's the dog's breakfast; the only saving grace it has is its low userbase and its strong extension support that can plug some of the glaring holes (like its crappy 1-process architecture, its lack of sandboxing for anything, etc).

There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.

Like Mugatu, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, Slashdot.

Assuming the graph is not also bullshit, the correct story is that in the first 6 months of 2014 (1H 2014 on the graph), IE has had more vulnerabilities than all of 2013. IF this keeps up, then by the end of 2014, IE will have had more than a 100% increase in the number of vulnerabilities over last year.

Except that you can't predict the future, so you don't know how many will be reported by the end of 2014. Extrapolation only works when you have a reason to justify it; neither you nor the article does, and the original paper does not make that (dumb) extrapolation.

Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were.

How this was modded insightful I'll never know.
Someone must be exploiting a vulnerability in your PDF viewer/browser that is causing it to not work properly (IE maybe), because mine clearly shows it in the appendix at the bottom.
Internet Explorer:
2013: 130 vulnerabilities
H1-2014: 133 vulnerabilities
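The whole argument in this thread comes down to whether you compare raw counts or counts normalized to the length of the window. Here is a small added example (mine, not from the report or any commenter) that takes the two appendix figures quoted above and computes both metrics side by side, plus the straight-line full-year projection some posters are implicitly making. The window lengths (12 months and 6 months) are assumed from the labels "2013" and "H1-2014".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """A disclosure count over a labelled time window."""
    label: str
    count: int      # vulnerabilities disclosed in the window
    months: float   # length of the window in months


def raw_change_pct(old: Window, new: Window) -> float:
    """Percentage change in the absolute count, ignoring how long each window is.

    This is the figure a reader gets by comparing bar heights on a chart
    without reading the labels.
    """
    return (new.count - old.count) / old.count * 100.0


def rate_change_pct(old: Window, new: Window) -> float:
    """Percentage change in the disclosure rate (vulnerabilities per month).

    Normalizing by window length makes windows of different lengths comparable,
    but the result is a change in rate, not a change in the number found.
    """
    old_rate = old.count / old.months
    new_rate = new.count / new.months
    return (new_rate - old_rate) / old_rate * 100.0


def projected_count(partial: Window, target_months: float) -> float:
    """Extrapolate a partial window's rate to a longer window.

    This is the 'if this keeps up' reasoning: it assumes the rate observed so
    far stays constant, which the data alone cannot justify.
    """
    return partial.count / partial.months * target_months


# Constructed from the two appendix figures quoted in the comment above.
IE_2013 = Window("2013 (full year)", 130, 12)
IE_H1_2014 = Window("H1 2014", 133, 6)


def summarize(old: Window = IE_2013, new: Window = IE_H1_2014) -> dict:
    """Return every number the thread argues about, keyed by what it measures."""
    return {
        "raw_count_change_pct": raw_change_pct(old, new),
        "rate_change_pct": rate_change_pct(old, new),
        "projected_full_year": projected_count(new, old.months),
        "windows_same_length": old.months == new.months,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Running it shows the two honest readings of the same table: the count rose by about 2.3% (133 vs 130), while the monthly rate roughly doubled (about a 105% increase), and the full-year projection of 266 only holds if the first-half rate continues. The `windows_same_length` flag is the check the "same period length" camp is asking for; when it is false, only the rate comparison is meaningful.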

In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

I'm not sure either the OP or this one understand what NIH means. It's part of the EEE [wikipedia.org] philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer [wikipedia.org] was licensed from Spyglass [wikipedia.org] and all versions of IE up to 6 were based on that code. In this case Microsoft w

I actually believe it would be beneficial if all browsers switched to WebKit/Blink. Having everyone switch to the same engine is not the same as having only one dominant browser. The issue in the past was that IE was the dominant browser and was only developed and maintained by Microsoft; however, with WebKit/Blink it's not a single entity contributing to the development, everyone who is using it is actively improving it. I think Microsoft joining the effort will improve browser compatibility.

That's an odd conclusion to draw from the report. What it actually says is:

1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
2. Number of public exploits in IE decreases from 11 to 3 in that same period
3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11

If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

Don't blame it on the writing. There was a chart, and a table at the end, both perfectly clear. And terseness means they were both very easy to find. I expect slashdotters to be able to read a simple bar chart - to read the labels as well as the length of the bars. If they can't, GTFO.

Staying the same numerical value is a '100% increase' if the time-frame you are discussing is 1/2 as long as before.
Don't worry, you're not the only person to fail at reading comprehension while trying to display your mathematical prowess.

Pfft, as if any Windoze users have IE11 installed. Poppycock! Your figure of "80 days to 5" between "dinosaur" and "current" versions of Internet Explorer are of no relevance. You're clearly in the pay of Micro$haft.

Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increased, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on o

Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed. Including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

History shows that more than 80% of Windows vulnerabilities are IE based. Only the gullible and foolish would use such an insecure and worthless piece of crapware. IE has never been good; M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.

I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E., and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.

I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable busine

The summary is absolute garbage; it implies that the number of vulnerabilities has doubled (it hasn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).

Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

Depends on how those bugs were discovered. If reported by the outside community, chances are hackers might have exploited them before they were patched. Also, the hacker community culture is important. Avoidance is prudent. If a red honda civic is a target for crime, then drive a blue toyota corolla.

I also do not understand those people still using MSIE; they even send me articles which say that MSIE is more secure than Firefox or Chrome... Well, I have never had a trojan or virus from using Firefox/Mozilla in the last 10+ years. I had a lot of problems until I stopped using that big piece of shit/crap MSIE. But of course, like Einstein said, two things are infinite, the cosmos and human stupidity. And he wasn't sure about the cosmos....

I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.

In a previous life, I was prohibited from installing FF/Chrome in any way whatsoever, as only a certain image was allowed, and everything in the image had to get vetted by a regulation compliance committee, a legal team, a license vetting team, and so on. So, it was MSIE or no browser.

The good news is that Chrome can come as a signed MSI file, and FrontMotion has repackaged FF as a MSI for easy mass pushes.

MSIE has a unique place. In the enterprise, FIPS 140-2 and Common Criteria

Internal websites/apps that only work in one browser are understandable. I am baffled by the numerous public-facing government websites that, to this day, only work in IE. I haven't seen a non-government site do that since, I don't know, early 2000's maybe?

I've found that people who have always used IE are set in their ways and naturally distrust Firefox or Chrome. My father-in-law has always used IE and was having trouble with it. I got him to install Firefox and try it, but I could tell he totally didn't trust it and I have no doubt that he is still using IE.

IE was required at work but after talking with a helpdesk tech who admitted they mostly used FF or Chrome, I installed FF on my workstation. Then I got an email from network services that I'd better cut it out; they have lots of in-house stuff on intranet sites that requires ActiveX. Then I retired, so now all is good.

I am one of those people.
We are stuck on IE 9 and won't be moving anytime soon.
I work at a VERY security aware entity who have everything locked down, but they will only let us use IE 9.
We are allowed to use unapproved software or hardware, but have to get the approval of the CIO which is beyond difficult to get.

I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

Yup. Still at IE8 on my US Gov't workstation. At least they allow us FF now, though the helpdesk is complaining that frequency of FF updates is burdensome to them. Those poor, misguided children have never heard of FF ESR.

Firefox was "more vulnerable" in 2013, and actually for several years post IE9, I believe it was generally considered LESS secure than MSIE due to its lack of common protections (like reduced privilege, sandboxing, etc).

The real surprise here is that people on a tech site continue to use awful metrics for judging things ("works for me", "everyone else hates it, must be bad").